New Features And Enhancements In Release 125.0.0

Windows Service Separation Integration

Endpoint SD-WAN Client now displays its running status in:

• Tool Tip

  

• Services menu

  

• Netskope Client Configuration window

  

Supported Minimum Client Version: 125.0.0

To learn more: Using Netskope Client.

AI Coverage Capability for Atlassian Confluence and Jira

Added new AI Post activity for Atlassian Confluence and JIRA AI features. This activity can detect DLP/Threat, constraints, and app instances.

Miro Login Detection

We now provide “Login Successful” activity for users that sign up and log in via an email link, without the need for a password. In addition, “Login Failed” activity when a link expires is captured.

Microsoft O365 AppSuite Policy

Domains ending with “.office.com” and “.cloud.microsoft” are now categorized under the Office365 app suite.

Introducing the “App Catalog”

The Cloud Confidence Index (CCI) is a core concept from Netskope that helps customers evaluate the risks of using SaaS applications through a Cloud Confidence Level (CCL) score.

In release 124, we enhanced the main CCI menu to include direct access to Cloud Firewall Applications (and their CCL scores for hybrid applications).

This main menu not only provides visibility into Cloud App details but also incorporates Cloud Firewall Applications. Therefore, we are rebranding the CCI terminology from “Cloud Confidence Index” to “App Catalog” to reflect its role as the central hub for all application types.

The “Cloud Confidence Index” terminology does not disappear and will remain visible in Cloud App specific pages.

Support for Application Instance Detection

Admins can tailor Real-time Protection Policies to specific application activities. Depending on individual corporate security requirements, these security rules may be enforced on particular application instances. However, certain activities may fail to detect these application instances, resulting in improperly enforced security measures.

To enhance clarity regarding application activities where instance detection is not possible, a list of activities that support application instance detection is now available for each application in the corresponding CCI page view.

CRUD Operation Support for DNS Profile

This enhancement supports CRUD (Create, Read, Update, and Delete) operations to manage DNS profiles using REST API v2. This allows for automation and streamlines management of DNS profiles through the REST API v2 interface.

DNSaaS Resolver

As part of Netskope’s commitment to both securing its customers and delivering superior connectivity infrastructure, we are now offering our own recursive DNS servers, also known as DNSaaS. This service goes beyond DNS resolution by providing comprehensive DNS security. With Netskope DNSaaS, enterprises can route their DNS queries through Netskope-managed IPs, enabling the application of security policies, including business and security category-based filtering.

DLP for CFW (Only FTP)

DLP for FTP supports large files scanning and allowing you to restrict data exfiltration over FTP. Full scale DLP capabilities can be applied on FTP traffic and incidents can be generated for FTP flows. DLP for FTP is a licensed feature.

On-Prem Stitcher Support

Enhanced serviceability for the Cloud TAP stitcher tool, providing various performance-related and reliability-related statistics in the Cloud TAP stitcher logs.

Cloud Storage Timeout and Retry Configuration

Enhanced the Cloud TAP stitcher CLI with new options for configuring cloud storage timeout and retry settings for improved flexibility and resilience.

Support for Additional File Types

This release includes support for over 93 additional file types accessible through the DLP file filter. Newly supported file types include:

• ML_Model_Fmt

• TensorFlow_Lite_Fmt

• Photoshop_Pattern_Fmt

• AppleWorks_GS_Fmt

• Visio_Fmt

General Availability of DEM Dashboard for Email DLP Service

Added a DEM dashboard for the Email-DLP service. It provides visibility into the health and performance of the Email service and helps in troubleshooting the email delivery issues faster.

For more information, see Email Outbound.

Bluetooth Content Control

Bluetooth Content Control (Windows-only) is now available as a Controlled-GA feature. This feature allows files to be examined by DLP policy before they are transferred via Bluetooth File Transfer.

User Invitation Feature

The Enterprise Browser user invitation feature is enhanced to include search functionality. Admins can now search for other users by email when inviting them to use the Enterprise Browser.

Company Workspace Section

Enterprise Browser “New Tab” has been redesigned to improve user productivity. “New Tab” now contains 2 sections: “Company Workspace,” which contains the collection of bookmarks relevant to each user group, as configured by the tenant’s admin to improve productivity.

Below, users can find the other section, “Personal Workspace,” which contains bookmarks created by the EB user and their most visited sites.

Update to Existing Error Message

Enhanced the error messages during Enterprise Browser profile creation, to provide users a description of the error and suggest next steps. For example, when the user license is not valid: License not Found is now updated to License not found. Please double check the license details

Netskope Log Streaming

Netskope Log Streaming enables seamless, scalable, and flexible log delivery to customer-managed cloud storage.

Update for the URL Lookup API

Enhanced the URL Lookup API (/api/v2/nsiq/urllookup) to include apps associated with a particular domain. Key features include:

Updated API Response Format

Enhanced the API response format to include additional information, such as a new key called “app” in addition to “site”. The “app” key is only populated with app traffic from CCI. If there is no CCI match (web traffic), then there will be an empty string.

Category Type Parameter

Introduced a new optional request parameter (“category type”) with the following options:

• CASB and SWG (default)

• CASB

• SWG

“Any Web Traffic” with DLP and Threat Profiles in RTP

This feature introduces changes to policy behavior specifically for “Any Web Traffic” policies, including:

• Any Web Traffic without Source criteria

• Any Web Traffic and DLP

• Any Web Traffic and TSS

Chrome Extension Support for Injecting Headers

We have added the ability to inject headers in WebSocket connections via the Netskope Chrome extension.

Chrome Extension Support for User Notifications

Version 125.0.0 of the Netskope Chrome Extension now adds support for user notifications and the corresponding configuration settings.

Version 125.0.0 Release Candidate of Chrome Extension is published at the same time as the Cloud Deployment. See Netskope Chrome Extension (RC).

Version 125.0.0 of the Chrome Store will be upgraded 2-3 weeks later unless an issue is identified with the Release Candidate.

To learn more: Cloud Explicit Proxy for Chromebooks.

NPA Browser Access through Enterprise Browser

NPA Browser Access Private Apps can now be accessed via Netskope’s Enterprise Browser solution. This allows for seamless integration of both NPA Browser Access and SaaS applications within the Netskope Enterprise Browser.

Note that browser-level controls provided by Enterprise Browser, such as copy/paste and print screen, are not yet applicable for NPA applications.

Explicit Proxy Configuration Support on a Publisher

Starting with Publisher version R125, Netskope introduces support for Explicit Proxy Configuration for NPA Publishers. This feature allows Publishers to route traffic to dependent services (like Stitcher, management services, OS and container updates) via a customer-specified HTTP(S) proxy, while continuing to exclude Private Applications from proxy routing.

Key Highlights

• Proxy configuration can be enabled via the Publisher Wizard interface or embedded into the Publisher token.

• Settings are stored and applied to system components like APT and Docker.

• Proxy Bypass List supports FQDNs, wildcards, IP addresses, and CIDRs. 127.0.0.1 and localhost are auto-included.

• Supports standard HTTPS proxies without authentication and without SSL inspection.

• Enhances deployment flexibility for environments with strict egress firewall rules.

Publisher support for Ubuntu 22.04 LTS

We are pleased to announce General Availability (GA) support for Ubuntu 22.04 LTS with the Netskope Private Access (NPA) Publisher.

Key Highlights

• NPA Publisher is now fully compatible with Ubuntu 22.04 LTS, in addition to previously supported OS versions.

• All core functionality, including private application access, upgrade operations, and proxy support, is validated on Ubuntu 22.04.

• You can now confidently deploy Publishers on newer infrastructure stacks running the latest Ubuntu long-term support release.

Benefits

• Support for the latest stable OS version enhances long-term maintainability and security.

• Aligns with modern IT environments and customer OS standardization efforts.

Availability

• This support is available for all customers starting with Publisher version R125 and later.

Private Applications Across Multiple Netskope Tenants

Users can now access Private Applications across multiple Netskope tenants, such as from a managed service provider, partner or third-party organizations, without needing to unenroll or uninstall the Netskope Client for up to 20 different tenants. With a simple switch in the Client UI, users can toggle between their primary and partner tenants in one click.

Key Capabilities

• Multi-Tenant Access: Seamlessly switch between partner organizations to access authorized private resources.

• Client UI Enhancements: View current tenant details and a submenu listing all available partner tenants.

• No Reinstallation Required: Eliminates the need to unenroll/reinstall the Netskope Client when switching tenants.

Use Case Example: Ideal for users working with suppliers, contractors, or joint ventures that also utilize Netskope, ensuring secure access to partner-hosted private applications without disruption.

To learn more: Using Netskope Client.

Supported Minimum Client Version: 125.0.0

Updated Limit for Publishers per Private App Definition

The maximum number of Publishers that can be configured for a tenant per Private App or App Discovery can be increased from 16 (default) to a maximum of 64.

Supported Minimum Client Version: 116.0.0

Classic Reports

Classic reports documentation will be replaced with Reports, aka Reports (New Experience). All classic reports users must migrate to Reports after the 90 day migration period. Classic reports will no longer be accessible after the migration period. Your admin can decide when to start the migration period.

Classic reports documentation includes:

Reports (New Experience) includes:

When you log in to your account and view Reports, you will see indicators in the UI alerting you to the migration countdown.

IMPORTANT: You must preserve any historical runs from legacy reporting platforms by downloading them locally. All historical runs will not be available after your migration period ends (90 days). Your migration period depends on your countdown start date. Log in to your account to view details.

To learn more: Migration workflow

General Availability of Endpoints Specific Allowlisting

A Netskope admin can restrict REST API workflow access based on different roles for different functions using Role-based IP Allowlisting.

Enhanced RBAC Authorization Service

Enhanced RBAC (RBAC v3) role-based access control with more functional controls and uniform authorization for both WebUI and REST API based interactions.

This release introduces service accounts for use in automation without any risk of these accounts being able to access the web UI.

API access tokens are now issued to a user or a service account (instead of at the tenant level) along with expiry/renewal workflow.

The web admin lifecycle can also be managed more securely by integrating SCIM with the enterprise IdP.

A fully redesigned, next-generation “API First” web UI for identity and access management makes consistent application of roles to human and non-human entities easier than ever before.

These features are deployed during the Netskope Management Plane maintenance window. Depending on your location it may not be immediately available. Once the maintenance window closes you will have full access/visibility.

App Category Deprecation

App Category field has been deprecated. It is no longer available in the filters, table column and CSV exports on the Inventory and Findings pages.

Enhancements to Predefined Rules and Templates

Recent updates for SSPM rules are as follows:

New Predefined Rules

2 new predefined rules are shipped with this release. It covers the following categories:

• Apps:

  • AzureAD / Entra ID: 2

• MITRE ATT&CK: 

  • Discovery: 2

• Security Domains: 

  • IAM: 2

Existing Rule Updates

• Microsoft 365: 1

Support for Microsoft 365 SCuBA 1.0

SSPM now supports CISA M365 Secure Configuration Baselines 1.0 (SCuBA), while SCuBA 0.1 has been deprecated. The following benchmarks replace SCuBA 0.1:

• SCuBA-Defender_1.0

• SCuBA-EntraID_1.0

• SCuBA-Exchange-Online_1.0

• SCuBA-SharePoint_And_OneDrive_1.0

• SCuBA-Teams_1.0

Child Object Info for Archive in Malware Details

You can now see information for archive child sub-components and files in the Advanced Heuristics section of Malware Incidents.

To learn more: Advanced Heuristic Analysis.

Support for IPs/Subnets/IP Ranges Bypass for Android OS

Netskope Android App now supports a new bypassing mechanism for IPs/Subnets/IP Ranges using exclude routes supported in the Android VPN service.

Anti-tampering Enhancements

With version 125.0.0, Netskope restricts admins with higher system privileges to disable Netskope Client services.

To restrict disabling Client services, enable the following options under Settings > Security Cloud Platform > Netskope Client > Client Configuration in the tenant webUI:

• Password protect client uninstallation

• Protect client configuration and resources

Master Password Availability

With version 125.0.0, Master Password for disabling all Client services is available for all tenants.

To learn more: Client Configuration.

Revamped SaaS Security Posture Management documentation.

You will see new updates to our SSPM documentation to make it easier and faster to find what is needed!
Here’s what’s new:

• Revamped Landing Page – A fresh new look that highlights key SSPM features and provides a guided flow to help you get started quickly.
• Clearer Application & Compliance Listings – Easily see which SaaS apps and compliance standards are supported.
• Action-Oriented Structure – Reorganized and refined document titles to align better with how customers take action.
• Improved Content – Some sections have been rewritten for clarity, and keep actively enhancing more.
• New FAQ Section – Quick answers to the most common questions, all in one place.